Android exploit. 99% of devices vulnerable.
Stuart_h
05-07-2013
Originally Posted by IslandNiles:
“If this were iOS, the thread would be up to ten pages by now and people would be falling over themselves to comment on the terrible security lapse.”

I see you guys are all eager to start the thread in that direction

It's poor on Google's part and needs fixing. I work in IT. Defects happen. It doesn't reflect well on the OS though.

I believe it still requires you to have installed a 'dodgy' app to allow access, so 95% of people will have nothing to fear .....

PCs have 'exploits found' quite regularly and it's only extreme ones that make it to the press.
Inspiration
05-07-2013
Originally Posted by IslandNiles:
“Apple does have its own router database, which is used like Google's for wifi location.”

Got a link to info on that? That would be in direct conflict with Steve Jobs' view on privacy and location sharing.
IslandNiles
05-07-2013
Originally Posted by Inspiration:
“Got a link to info on that? That would be in direct conflict with Steve Jobs' view on privacy and location sharing.”

In Apple's own words:


Quote:
“If Location Services is on, your device will periodically send the geo-tagged locations of nearby Wi-Fi hotspots and cell towers in an anonymous and encrypted form to Apple, to augment the crowd-sourced database of Wi-Fi hotspot and cell tower locations. In addition, if you are traveling (for example, in a car) and Location Services is on, a GPS-enabled iOS device will also periodically send GPS locations and travel speed information in an anonymous and encrypted form to Apple, to be used for building up a crowd-sourced road traffic database. The crowd-sourced location data gathered by Apple does not personally identify you.”

It's not about tracking you though, which is what another FM suggests.
Chris1973
05-07-2013
I wonder how many of those concerned with privacy are documenting and mapping out their lives voluntarily via social networking.
IvanIV
05-07-2013
Android flaw lets attackers modify apps without breaking signatures

"The vulnerability stems from discrepancies in how Android apps are cryptographically verified, allowing an attacker to modify application packages (APKs) without breaking their cryptographic signatures."

That's quite a security hole there. It makes digital signing meaningless.
alanwarwic
05-07-2013
Originally Posted by IvanIV:
“That's quite a security hole there. It makes digital signing meaningless.”

Do side loaded apps use a signature?
It seems quite a bigger security hole when no one understands it.
flagpole
05-07-2013
To clarify. The exploit would allow an app to be approved for the app store. Maliciously modified but still appear to the app store as the non-malicious version.

It would be pertinent in situations like when Sky had their Play account hacked.

I still think the risk is minimal. Too many things have to come together for it to be a significant threat in the near term.

Assuming it can be fixed.
IvanIV
05-07-2013
Google's version of digital signing can only guarantee that once upon a time an owner of the certificate a file is signed with had signed some version of that file. Nothing else. Maybe chances of the exploit are not big, but the question is where else they used this.

It can and should be fixed, it's embarrassing and dangerous.
paulbrock
05-07-2013
More scaremongering. Hands up who has ever, or even personally knows anyone who has, had malware on their Android device?

So for it to actually work, the exploiter would need to take control of the developer account of a reputable app, replace the app with a malicious one, get users to manually update it (as extra permissions would likely be needed to do anything malicious, so auto-update would require a user confirmation), hope that the user didn't spot that Angry Birds now needed full permission to do anything with your phone, all before either Google or the app dev pulled the plug?

As someone posted elsewhere, it's like saying if there was a hacked malicious version of Adobe Photoshop on Pirate Bay it would indicate a security flaw with Windows.
IvanIV
05-07-2013
Originally Posted by paulbrock:
“More scaremongering. Hands up who has ever, or even personally knows anyone who has, had malware on their Android device?”

Well you can look at it like that, but focus is moving to mobile computing. OS writers could get away with anything, but that does not work anymore. Hackers are very inventive, MS has stories to tell about that. Any known problem should be dealt with and not marginalised. Because sooner or later somebody will find a way to exploit it. People store sensitive information on their phones, because they think it's safe there. I think a future of malware is in mobile phones and tablets.
kidspud
05-07-2013
Originally Posted by paulbrock:
“More scaremongering. Hands up who has ever, or even personally knows anyone who has, had malware on their Android device?

So for it to actually work, the exploiter would need to take control of the developer account of a reputable app, replace the app with a malicious one, get users to manually update it (as extra permissions would likely be needed to do anything malicious, so auto-update would require a user confirmation), hope that the user didn't spot that Angry Birds now needed full permission to do anything with your phone, all before either Google or the app dev pulled the plug?

As someone posted elsewhere, it's like saying if there was a hacked malicious version of Adobe Photoshop on Pirate Bay it would indicate a security flaw with Windows.”

So you think this is not a problem and Google should do nothing about it? I wonder why Samsung bothered to fix it on the S4.
paulbrock
05-07-2013
Originally Posted by kidspud:
“So you think this is not a problem and Google should do nothing about it? I wonder why Samsung bothered to fix it on the S4.”

I don't think it's a big enough problem to be covered on the BBC, or to start a thread on, no. Of course it should be fixed, but in the meantime users should carry on as usual.

Do you think it's particularly newsworthy?
paulbrock
05-07-2013
Update to TechCrunch article

Quote:
“Update: According to a report in CIO, Google has already modified its Play Store’s app entry process so that apps that have been modified using this exploit are blocked and can no longer be distributed via Play.”

Panic over.
paulbrock
05-07-2013
Originally Posted by IvanIV:
“People store sensitive information on their phones, because they think it's safe there. I think a future of malware is in mobile phones and tablets.”

TBH, more information is stored in the cloud than on phones, I think phishing attempts will remain the biggest threat to people's data for a good while to come. Thankfully even Facebook gives the option of two-step verification nowadays...
Zack06
05-07-2013
Originally Posted by paulbrock:
“Update to TechCrunch article

Panic over.”

That update was actually made known yesterday, but it was conveniently ignored. Every platform is going to have its fair share of bumps and kinks along the road, but Google have shown that they're swift to act on these things, Apple have had one recently with the hotspot password fiasco.
kidspud
05-07-2013
Originally Posted by paulbrock:
“I don't think it's a big enough problem to be covered on the BBC, or to start a thread on, no. Of course it should be fixed, but in the meantime users should carry on as usual.

Do you think it's particularly newsworthy?”

It being newsworthy is a result of the popularity of Android.

I would have thought it is very worthy of a discussion on this forum. After all, are we only meant to discuss positive news?

As I said earlier, my interest is how quickly Google can go about fixing issues like this.
IslandNiles
05-07-2013
Yeah, that information was actually reported in most of the articles yesterday that covered the issue. The problem wasn't with distribution through Google Play.
kidspud
05-07-2013
Originally Posted by paulbrock:
“Update to TechCrunch article

Panic over.”

Funny, I remember the thread where everyone was pointing out the massive advantage of all the app stores available. I hope they have all updated their process.
IslandNiles
05-07-2013
Originally Posted by Zack06:
“That update was actually made known yesterday, but it was conveniently ignored. Every platform is going to have its fair share of bumps and kinks along the road, but Google have shown that they're swift to act on these things, Apple have had one recently with the hotspot password fiasco.”

Interesting that this is a non-issue but the Apple wifi hotspot thing was a 'fiasco'.
IvanIV
05-07-2013
Originally Posted by kidspud:
“Funny, I remember the thread where everyone was pointing out the massive advantage of all the app stores available. I hope they have all updated their process.”

I think tighter app stores are an advantage, but it means more pressure on the central authority as we can see here.
paulbrock
05-07-2013
Originally Posted by kidspud:
“Funny, I remember the thread where everyone was pointing out the massive advantage of all the app stores available. I hope they have all updated their process.”

As the risk is theoretical I'll continue using the other app stores. Malware tends to target the least informed users, who will, on the whole, only use Google Play. Additionally some stores, like Amazon's, have their own checking processes to prevent malware.

So I don't see how this perceived risk would prevent me continuing to save money.
cnbcwatcher
05-07-2013
Originally Posted by Mr. Cool:
“Probably a Google Play update.”

Ah right. I hope they release it soon.
Zack06
05-07-2013
Originally Posted by IslandNiles:
“Interesting that this is a non-issue but the Apple wifi hotspot thing was a 'fiasco'.”

Nowhere in my post did I suggest that it was a non-issue. As I have said, both platforms have had their fair share of issues.

However, at least Google have acknowledged the issue and have already begun applying fixes. I'm unsure as to whether Apple have even addressed the flaws in their system.
alanwarwic
05-07-2013
Originally Posted by kidspud:
“No, nothing like that.”

LOL No.

So we seem to be at the point that the only digital signature in question was a Play store one that has been corrected anyway.
swordman
05-07-2013
Was there ever really a panic?
DIGITAL SPY, PART OF THE HEARST UK ENTERTAINMENT NETWORK